From 36c6d6bbb39d5f22f0ee18523635c6033a035dd3 Mon Sep 17 00:00:00 2001
From: INSUN PYO
Date: Tue, 11 Sep 2018 13:27:06 +0900
Subject: [PATCH] Fix race condition between usb_host_destroy and fd_removed_cb
fd_removed_cb is called by libusb_exit() -> usbi_io_exit() -> usbi_remove_poolfd() -> ctx->fd_removed_cb. fd_removed_cb uses context->gio_channels and context->channel_list_lock. So, you should not free and destroy it before calling libusb_exit().
Signed-off-by: INSUN PYO
Change-Id: I5fdde607d19be9e4df9214489f91e3d33f41eaf6
---
 src/usb_host.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/usb_host.c b/src/usb_host.c
index 410acc4..2247bf7 100755
--- a/src/usb_host.c
+++ b/src/usb_host.c
@@ -578,14 +578,15 @@ int usb_host_destroy(usb_host_context_h context)
 fd = g_io_channel_unix_get_fd(ch->ch);
 g_source_remove(ch->source_tag);
 g_io_channel_unref(ch->ch);
+ context->gio_channels = g_list_delete_link(context->gio_channels, l);
 l = next;
 free(ch);
 _I("removed fd %d", fd);
 }
+ libusb_exit(context->lusb_ctx);
 g_list_free(context->gio_channels);
 pthread_mutex_destroy(&context->channel_list_lock);
- libusb_exit(context->lusb_ctx);
 free(context);
 return USB_HOST_ERROR_NONE;
-- 
2.34.1
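Review bot: The new `g_list_delete_link(context->gio_channels, l)` call edits the shared channel list inside the teardown loop, but nothing in the hunk shows `context->channel_list_lock` being held while it does so. The commit message says fd_removed_cb uses that same list and lock, so if libusb can still deliver pollfd notifications from another thread before `libusb_exit()` returns, the unlink and `free(ch)` can race with the callback and leave it walking freed nodes. The loop head is outside the hunk, so the lock may already be taken there. If it is not, bracket the loop with `pthread_mutex_lock(&context->channel_list_lock);` and `pthread_mutex_unlock(&context->channel_list_lock);`, releasing before `libusb_exit(context->lusb_ctx);` so the callback does not block on a mutex held by its own caller. The reordering is also easy to undo by accident, so it deserves a comment above the call such as `/* libusb_exit() invokes fd_removed_cb, which reads gio_channels and takes channel_list_lock; both must outlive this call */`.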